$280 million of Ethereum Locked Up After Code Error in Popular Wallet

With the stroke of a few keys, hundreds of thousands of Ethereum users saw their ETH locked out from them. And the fix could require a “hard fork”. The wallets affected are “multisignature” wallets. If you recall, these multisignature wallets were also the target of a $32 million hack back in July of this year.

The “fix” to close that hack has led to this new problem, a problem created, it seems, when “devops199” somehow accidently became the sole owner of the multisignature wallets under Parity. The response by devops199 was to quickly “kill” the contract, which effectively locked everyone out of the Parity wallet.

On Tuesday, a single user permanently locked down dozens of digital wallets containing nearly $300 million dollars worth of ether, the unit of exchange on the Ethereum platform, allegedly by accident.

Now, some in the Ethereum community are considering the possibility of a risky network split, known as a “hard fork,” to fix it.

The affected wallets—known as “multisignature” wallets because they require multiple people to sign off before funds are moved, making them popular with companies—were all created with Parity, a popular program for digital wallets. Parity multisignature wallets experienced a bug in July that allowed a hacker to steal $32 million in funds before the Ethereum community scrambled to band together to hack back and secure the rest of the vulnerable ether.

According to a blog post released by Parity on Tuesday, the code that fixed the July bug contained another vulnerability. That vulnerability allowed a user known as “devops199” on GitHub, a site for developers to collaborate on open source code, to allegedly accidentally trigger a function that turned the contract governing Parity multisignature wallets into a regular wallet address and made him or her the owner. Devops199 then killed this wallet contract, or, as Parity put it, “suicided” it. This made all multisignature wallets tied to that contract instantly useless, their funds locked away with no way to access them.

If the story is true, it seems like Devops199 was jiggling door handles and when one door opened, they tried to close it and the whole house exploded.

“We are asking for everyone to be patient until the full extent of the issue has been identified and we will communicate any necessary instructions or advice,” a Parity spokesperson wrote me in an email. “We are advising users not to deploy any further multi-sig wallets until the issue has been resolved and to not send any Ether to wallets that have been deployed and are in use already.”

Devops199 made an appearance in the Parity chat channel after the incident. “I’m [an Ethereum] newbie… just learning,” devops199 wrote. “You’re famous now lol,” replied another user. When I reached devops199 for comment on the incident, they replied, “Sorry… I’m really afraid now… can’t talk.”

Paul Gordon is the publisher and editor of iState.TV. He has published and edited newspapers, poetry magazines and online weekly magazines.
He is the director of Social Cognito, an SEO/Web Marketing Company. You can reach Paul at pg@istate.tv